Question: why has air travel become so painful? Because the threat posed by bad actors requires making everyone jump through hoops before letting them board a plane. To the point that, despite obvious requirements to ensure air safety, some are now openly questioning if the cure is not worse than the disease.

Registering a domain name could be about to go the same way. Simply put, the cops that police the Internet are working on some major hoops for domain owners. The disease they are taking aim at is cybercrime. Is their proposed cure a lot more hammer on nail than the precise surgical intervention needed to take the bad actors out of the equation without making life too difficult for law-abiding citizens?

12 recommendations

For around a year now, registrars and ICANN, the entity that contracts them to sell domain names, have been locked in negotiations around a set of 12 "recommendations" originally made by law enforcement agencies (LEAs) such as the FBI or Interpol. Just over the last 3 months, both parties have engaged in 6 negotiating sessions, including 2 full days of face-to-face meetings that were, according to participants, physically exhausting. Registrars have not been taking this issue of cybercrime lightly…

In fact, most of the recommendations that LEAs have presented as being positive steps towards fighting cybercrime have been agreed to by registrars and are thus ready to be implemented into the new registrar contract that ICANN expects to enforce once the negotiations are ended.

But predicting when that might be is difficult, because both parties are now deadlocked over a couple of law enforcement asks that are, frankly, likely to significantly negatively impact the experience of registering a domain name.

The main point of contention is around the issue of verifying WHOIS data. This is the information — name, address… — that a domain registrant provides to the registrar and that is then posted in a public database. LEAs want this data verified, and that seems entirely reasonable. What appears less so is the proposed methodology.

Double checks

Facing strong pushback from registrars in earlier negotiations, ICANN has moved away from the idea of requiring WHOIS data to be verified before a domain goes live. But in agreeing to the principle of data verification post resolution (the action of making a domain work on the Internet, i.e. point to a website or email), ICANN is now asking registrars to verify two sets of data.

A registrar would have to ensure that both telephone and email data submitted is kosher. How? One example for phone verification could be sending SMS messages with a code that the domain owner would then have to enter online. Email verification would require a similar "respond to the message we send to prove to us this address works" approach.

Why are registrars baulking at this? Well, for one it is likely to make it more difficult for them to service customers outside their country. It will increase their processing costs, with expected rises in domain registration fees if these increases are passed on to customers. It may become a nightmare for those who register large quantities of domain names. Verification emails may get caught in spam filters, thereby preventing timely registration of domain names. And, as is usually the case with heavy-handed blanket security measures, it is more likely to cause headaches to legitimate domain users than to deter cyber criminals. After all, a determined cyber criminal would have no problem passing these tests.

Registrars are not arguing against the obvious need to have good data in WHOIS. But they are advocating a more cautious approach. "Let us test one of these two methods for a while instead of imposing both at the same time," they are saying, "then let's all evaluate the impact both on the consumer experience and cybercrime."

Keeping data personal

There is also the privacy issue. Among ideas being touted is an obligation on domain owners to provide a phone number as registrants (currently, only administrative and technical contacts are required to provide phone numbers).

Another is to re-verify data after a period of time, to make sure it has not gone "stale". A policy already exists with ICANN called WHOIS Reminder whereby registrars are obligated to send out yearly emails to domain owners (one per domain!) asking them to check their WHOIS data. Although currently domain owners are not required to act on the emails, they do cause confusion and anxiety amongst individuals who either do not understand why they are being targeted by these emails or tend to worry that they are in danger of losing their domain names.

Despite this, and the fact that the current policy has not been sufficiently reviewed to test its true efficacy, the suggestion is to go one step further. Active rechecking of the data would be required, and a domain name could be suspended if this step is not completed. That's right, fail to re-verify your WHOIS data because you either missed one email amongst the hundreds you get each day, or your spam filter blocked it, and you may end up with no website and emails!

Yet another privacy issue is a requirement that LEAs would impose on registrars to have them hold registration data for 2 years. This is simply illegal in some countries, where companies are forbidden by law to hold on to private data for such a long period of time.

Speak up!

It's important to stress that at this stage, all these ideas are just that. But should ICANN decide to enforce them on registrars, domain owners could be in for a really painful experience in years to come.

There will be public discussion sessions on the registrar/ICANN negotiations in Toronto, during the upcoming ICANN meeting (October 14 to 18). ICANN is calling for community comment during the ongoing negotiations and during these sessions.

So if you don't want your domain user experience to become more convoluted than air travel, then log in, dial in or turn up. And make yourself heard!

Comments

The biggest impact, IMHO, is going to be on large corporate entities in which people responsible for actually getting things done are only reachable through a PBX menu after dialing a main telephone number. Automated telephone verification will uniformly fail in those circumstances, and IT personnel who have been managing domain names for years, and have internalized historic policies, may not realize why it is failing.

Oh well, it's what they want. It's going to be fun to watch the ensuing meltdown.

Automated telephone verification will also fail with the hearing impaired, and even the speech impaired (who could otherwise hear, but don't have any use for a phone).

What needs to be done is that verification of identity needs to be open to other means. Even email is finding fewer and fewer users, and justifiably so (because the spam problem isn't solved, among others).